diff --git a/dnsmasq-2.81-configuration.patch b/dnsmasq-2.81-configuration.patch index 0cf66c7..3b3cadd 100644 --- a/dnsmasq-2.81-configuration.patch +++ b/dnsmasq-2.81-configuration.patch @@ -1,4 +1,4 @@ -From d07d1bcdd739da00d0acb8c4561c33bc4d27a0da Mon Sep 17 00:00:00 2001 +From 3a593d133f91c5126105efd03246b3f61f103dd4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 30 Jun 2020 18:06:29 +0200 Subject: [PATCH] Modify upstream configuration to safe defaults @@ -7,11 +7,11 @@ Most important change would be to listen only on localhost. Default configuration should not listen to request from remote hosts. Match also user and paths to directories shipped in Fedora. --- - dnsmasq.conf.example | 18 ++++++++++++++---- - 1 file changed, 14 insertions(+), 4 deletions(-) + dnsmasq.conf.example | 24 +++++++++++++++++++----- + 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example -index bf19424..a130118 100644 +index bf19424..36fba33 100644 --- a/dnsmasq.conf.example +++ b/dnsmasq.conf.example @@ -22,7 +22,7 @@ 
@@ -53,7 +53,20 @@ index bf19424..a130118 100644 # On systems which support it, dnsmasq binds the wildcard address, # even when it is listening on only some interfaces. It then discards # requests that it shouldn't reply to. This has the advantage of -@@ -535,7 +541,7 @@ +@@ -121,7 +127,11 @@ + # want dnsmasq to really bind only the interfaces it is listening on, + # uncomment this option. About the only time you may need this is when + # running another nameserver on the same machine. +-#bind-interfaces ++# ++# To listen only on localhost and do not receive packets on other ++# interfaces, bind only to lo device. Comment out to bind on single ++# wildcard socket. ++bind-interfaces + + # If you don't want dnsmasq to read /etc/hosts, uncomment the + # following line. +@@ -535,7 +545,7 @@ # The DHCP server needs somewhere on disk to keep its lease database. # This defaults to a sane location, but if you want to change it, use # the line below. @@ -62,7 +75,7 @@ index bf19424..a130118 100644 # Set the DHCP server to authoritative mode. In this mode it will barge in # and take over the lease for any client which broadcasts on the network, -@@ -673,7 +679,11 @@ +@@ -673,7 +683,11 @@ # Include all files in a directory which end in .conf #conf-dir=/etc/dnsmasq.d/,*.conf diff --git a/dnsmasq.spec b/dnsmasq.spec index 6403de1..a04abaf 100644 --- a/dnsmasq.spec +++ b/dnsmasq.spec @@ -20,7 +20,7 @@ Name: dnsmasq Version: 2.82 -Release: 2%{?extraversion:.%{extraversion}}%{?dist} +Release: 3%{?extraversion:.%{extraversion}}%{?dist} Summary: A lightweight DHCP/caching DNS server License: GPLv2 or GPLv3 @@ -184,6 +184,10 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf %{_mandir}/man1/dhcp_* %changelog +* Wed Sep 30 2020 Petr Menšík - 2.82-3 +- Listen only on localhost interface, return port unreachable on all others + (#1852373) + * Mon Jul 27 2020 Fedora Release Engineering - 2.82-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
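Review bot: The comment added above the now-active `bind-interfaces` (inner hunk `@@ -121,7 +127,11 @@`) credits this option with listening only on localhost, but on its own it only replaces the wildcard socket with one socket per listening address. The loopback restriction depends on an `interface=lo` setting, presumably made by an earlier hunk of the patch that is not visible here, and if an administrator later widens or removes that line, dnsmasq will bind those addresses too. I would word the comment to say so, for example `# Together with interface=lo above, bind only the loopback addresses so that` / `# packets arriving on other interfaces are never received. Comment out to` / `# return to a single wildcard socket.` The retained upstream text directly above still says "uncomment this option" although the option is now enabled by default, which reads inconsistently. It may also be worth one line noting that interfaces appearing after startup are not picked up in this mode and that `bind-dynamic` exists for that case.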